Why Data Security Regulation is Bad

Saturday, February 11, 2012

Danny Lieberman


The first knee-jerk reaction of a government in the face of a data breach is to create more privacy compliance regulation.

This is analogous to shooting yourself in the foot while you hold the loaded weapon in one hand and apply band-aids with the other.

Democracies like Israel, the US and the UK have “a tendency to extremism tempered by having to compromise” (courtesy of D.M. Thomas in his NY Times book review of Philip Roth’s “Operation Shylock”).

In my previous post, “Insecurity by compliance”, I considered the connection between being a free-market democracy like the US, Israel or the UK and having a serious privacy and credit card data security breach problem; my essay “The Israeli credit card breach” delved into the root causes of why Israeli organizations have poor data security.

Following recent hacking attacks on the Israeli web sites of El Al Israel Airlines Ltd and the Tel Aviv Stock Exchange, Israel Discount Bank and First International Bank of Israel announced that they have blocked access to their websites from outside Israel.

I am not surprised that IDB and FIBI are resorting to primitive methods like blocking by source IP address.

If you’ve ever dealt with one, you know that the security management strategy of a banking institution is often heavily influenced by internal politics, and that it relies on outsourcing information security operations to security consultants, who naturally want to reduce their own personal exposure rather than the bank’s total value at risk.

Shutting down access to a Web site based on the geographic source of an IP address is a ludicrous security countermeasure against a hacker, since it is simple to mount the attack from a server, or from a network of compromised Windows PCs, located in Israel with Israeli IP addresses.
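To make the point concrete, here is an added example (not code from the original post, and not anything the banks named above actually deploy) of what a geographic source-IP gate looks like and the two ways it is trivially sidestepped: relaying through any host inside the allowed ranges, and, if the application is (mis)configured to trust the X-Forwarded-For header, simply claiming an in-country address. The address ranges are RFC 5737 documentation ranges standing in for a country’s allocations; the `trust_forwarded_for` flag and the weak configuration it models are hypothetical, not a description of any real deployment.

```python
import ipaddress

# Constructed allow-list for the example. These are RFC 5737 documentation
# ranges standing in for "the country's IP allocations"; they are NOT real
# Israeli (or any other country's) address blocks.
ALLOWED_COUNTRY_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_allowed_source(ip: str) -> bool:
    """True if the address falls inside one of the allowed 'country' ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_COUNTRY_RANGES)


def geo_gate(peer_ip: str, headers: dict, trust_forwarded_for: bool = False) -> bool:
    """Decide whether a request passes the geographic gate.

    peer_ip is the address of the TCP peer as seen by the server. If the
    hypothetical weak configuration trust_forwarded_for is enabled, the gate
    believes the first hop in X-Forwarded-For instead, which any client can
    set to whatever it likes.
    """
    if trust_forwarded_for and "X-Forwarded-For" in headers:
        claimed = headers["X-Forwarded-For"].split(",")[0].strip()
        return is_allowed_source(claimed)
    return is_allowed_source(peer_ip)


def demo() -> dict:
    """Run the four scenarios the text describes and return pass/fail for each."""
    foreign = "203.0.113.7"   # attacker's own host, outside the allowed ranges
    relay = "192.0.2.50"      # a rented or compromised host inside the allowed ranges
    return {
        # Naive attack straight from abroad: the gate does its one job.
        "direct_from_abroad": geo_gate(foreign, {}),
        # Same attacker bouncing through an in-country host: indistinguishable
        # from a legitimate local customer, so the gate lets it through.
        "via_in_country_relay": geo_gate(relay, {}),
        # Application-layer gate that trusts X-Forwarded-For: no relay needed,
        # the attacker just asserts an in-country address in the header.
        "xff_spoof_when_trusted": geo_gate(
            foreign, {"X-Forwarded-For": relay}, trust_forwarded_for=True
        ),
        # The same spoofed header is harmless when the gate ignores it.
        "xff_spoof_when_ignored": geo_gate(foreign, {"X-Forwarded-For": relay}),
    }


if __name__ == "__main__":
    for scenario, passed in demo().items():
        print(f"{scenario:26s} -> {'ALLOWED' if passed else 'blocked'}")
```

The only scenario the gate actually stops is the attacker who does nothing to hide; the relay case is exactly the “server or network of PCs inside Israel” the text describes, and no IP-range list can tell it apart from a real customer.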

From the government end, there are cries for more Web site security compliance regulation.

I will give the Israeli Ministry of Justice credit for having done nothing for over 20 years on updating the Israeli privacy law. There is nothing fundamentally wrong with the law; it just needs to be enforced. For that, you need police officers who know how to read English; see my post on that problem here.

Even now, I suspect that the Ministry of Justice is just treading water and reacting to the recent spate of credit card and Web site breaches by the so-called Saudi hacker.

Security by compliance does not improve data security, especially since attackers can reverse-engineer the minimum security requirements dictated by a standard and look for holes in a company’s defenses.

Cross-posted from Israeli Software

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
